use bcrypt for password hash

server/password-hash.js

@@ -0,0 +1,23 @@
+const passwordHashOld = require('password-hash');
+const bcrypt = require('bcrypt');
+const saltRounds = 10;
+
+exports.generate = function (password) {
+    return bcrypt.hashSync(password, saltRounds);
+}
+
+exports.verify = function (password, hash) {
+    if (isSHA1(hash)) {
+        return passwordHashOld.verify(password, hash)
+    } else {
+        return bcrypt.compareSync(password, hash);
+    }
+}
+
+function isSHA1(hash) {
+    return (typeof hash === "string" && hash.startsWith("sha1"))
+}
+
+exports.needRehash = function (hash) {
+    return isSHA1(hash);
+}

server/server.js

@@ -6,7 +6,7 @@ const { Server } = require("socket.io");
 const io = new Server(server);
 const dayjs = require("dayjs");
 const {R} = require("redbean-node");
-const passwordHash = require('password-hash');
+const passwordHash = require('./password-hash');
 const jwt = require('jsonwebtoken');
 const Monitor = require("./model/monitor");
 const fs = require("fs");
@@ -96,6 +96,14 @@ let needSetup = false;
 
             if (user && passwordHash.verify(data.password, user.password)) {
 
+                // Upgrade the hash to bcrypt
+                if (passwordHash.needRehash(user.password)) {
+                    await R.exec("UPDATE `user` SET password = ? WHERE id = ? ", [
+                        passwordHash.generate(data.password),
+                        user.id
+                    ]);
+                }
+
                 await afterLogin(socket, user)
 
                 callback({